Is Your VPN Connection Secured??

VPN connectivity. There is no denying how useful this technology is: it is an integral part of the current “Digital Transformation” wave and lets workers do their jobs from anywhere with an internet connection. Everyone who needs a VPN connection back to the office dislikes the latency and inconvenience it adds, but many IT managers are not aware of the security risks that come with it.

To break it down simply: a VPN punches a hole in the network perimeter so that remote users can operate as if they were in the office. Once connected, a user typically has network-level reach to everything on the internal network, which can include critically sensitive material such as private keys, cryptographic salts, and log files. That situation is unacceptable. There has to be a better method, one in which every application controls precisely who is allowed to reach it.

Cloudflare Access is that method. By moving your browser-based applications behind Cloudflare Access, team members can connect to applications faster and without geographical restrictions, with improved security for the entire organisation.

However, we were not yet ready to turn off our VPN, because some tasks are better done from a command line. We cannot #EndTheVPN without replacing all of its use cases, and reaching a server from the command line still required us to fall back to the VPN.

Reach a protected API

Cloudflare Access protects your application by checking for a valid JSON Web Token (JWT), whether the request comes from a browser or from the command line. Cloudflare issues and signs that JWT when you successfully log in with your identity provider. The token contains claims about your identity and session, and the Cloudflare network evaluates those claims to decide whether the request should proceed to the target application.

When you use a browser with Access, we redirect you to your identity provider, you log in, and we store the token in a cookie. Authenticating from the command line requires a different flow but relies on the same principles. When you need to reach an application behind Access from your command line, the Cloudflare CLI tool, cloudflared, launches a browser window so that you can log in with your identity provider. Once you have logged in, Access generates a JWT for your session, scoped to your user identity.

Rather than placing that JWT in a cookie, Cloudflare transfers the token to your machine in a cryptographically secure handoff. The client stores the token for you so that you do not need to re-authenticate on each request. The token is valid for the session duration configured in Access.

When you make requests from your command line, Access looks for an HTTP header, cf-access-token, instead of a cookie, and evaluates the token in that header on every request. If you use cURL, we can help you move even faster: cloudflared includes a subcommand that wraps cURL and injects the JWT into that header for you.
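What "checking for a valid JWT" involves, as an added example that is not part of the original post and not code from cloudflared or Cloudflare: a Go program in which one side mints an RS256-signed token carrying identity claims and the other side verifies the signature and claims before trusting them. The key pair, the key id, the issuer and audience strings, the sample user, and the claim names (iss, aud, email, exp) are assumptions chosen for illustration, not values taken from the page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload subset checked here; the claim names are assumptions for this example.
type Claims struct {
	Iss   string   `json:"iss"`
	Aud   []string `json:"aud"`
	Email string   `json:"email"`
	Exp   int64    `json:"exp"`
}

var enc = base64.RawURLEncoding

// digest hashes the signing input the way RS256 requires (SHA-256 over header.payload).
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

// decodePart base64url-decodes one token segment and parses it as JSON.
func decodePart(part string, v any) error {
	b, err := enc.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// mintToken plays the issuer: sign base64url(header).base64url(payload) with RS256 (assumed here).
func mintToken(key *rsa.PrivateKey, kid string, c Claims) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(signingInput))
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// verifyToken is the receiving side: pin the algorithm, pick the public key by kid, check the
// signature, then check issuer, audience and expiry. Claims are trusted only after every step passes.
func verifyToken(tok string, keys map[string]*rsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodePart(parts[0], &h); err != nil {
		return nil, err
	}
	if h.Alg != "RS256" { // allow-list the algorithm; the token must never choose it
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	pub, ok := keys[h.Kid] // keys come from a trusted set, never from the token itself
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == wantAud
	}
	if !audOK {
		return nil, fmt.Errorf("token was not issued for this application")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, aud := "https://team.cloudflareaccess.example", "app-aud" // placeholder values, not real ones
	tok, _ := mintToken(key, "key-1", Claims{Iss: iss, Aud: []string{aud}, Email: "alice@example.com", Exp: time.Now().Add(time.Hour).Unix()})
	c, err := verifyToken(tok, map[string]*rsa.PublicKey{"key-1": &key.PublicKey}, iss, aud, time.Now())
	fmt.Println(c, err)
}
```

Three details in the verifier carry the security weight: the algorithm is pinned rather than read from the token, the public key is selected by kid from a set the verifier already trusts, and the audience is checked so that a token minted for one application is not accepted by another. The same check belongs in the origin application as well: if the server can be reached without going through Cloudflare, whatever it does with the token it receives is all that stands between an unauthenticated request and the data.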

Why use cloudflared to reach your application?

With cloudflared and its cURL wrapper, you can perform any cURL operation against an API protected by Cloudflare Access.

  • Control endpoint access for specific users
    Cloudflare Access can be configured to protect specific endpoints. For example, you can create a rule that only a small group within your team can reach a particular URL path. You can apply that granular protection to sensitive endpoints so that you control who can reach those, while making other parts of the tool available to the full team.
  • Download sensitive data
    Placing applications with sensitive data behind Access lets you control who can reach that information. If a particular file is stored at a known location, you can save time by downloading it to your machine from the command line instead of walking through the UI flow.

What’s next?

CLI authentication is available today to all Access customers through the cloudflared tool. Add the API hostname to your Cloudflare account and enable Access to start building policies that control who can reach that API. If you do not have a Cloudflare Access subscription yet, you can drop us a message to find out more.
